CHANGELOG

v4.0.0 (2026-05-13)

Bug Fixes

Was reassigning on every loop iteration, so the returned value was the score of the last

vulnerability rather than the highest. Components with multiple vulnerabilities displayed the wrong color and severity label.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

pyfiglet uses pkg_resources which was removed in Python 3.14. Replace with art library (MIT, no

pkg_resources dependency).

BREAKING CHANGE: pyfiglet is no longer a dependency

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • ci: Address all CI failures from integration branch (``dfe8dc4` <https://github.com/sonatype-nexus-community/jake/commit/dfe8dc4d52106c6c58b479a8c79891d7e7ce6386>`_)

  • Rename ScanApi → ThirdPartyAnalysisApi in iq.py (renamed in sonatype-iq-api-client 0.201.0) - Fix mypy no-redef: rename whitelist loop variable report → guide_report in oss.py - Fix mypy null safety: add or '' guard for Optional vuln.reference and vuln.display_name in oss.py - Fix flake8 E127: reformat _get_max_cvss_score() continuation lines in oss.py - Add type: ignore[import-untyped] for art in app.py (missing py.typed marker) - Add type: ignore[import-untyped] for packageurl in all five parser files (missing py.typed in lowest deps) - Add shell: bash to Run tests step in ci.yml to fix bash syntax on Windows PowerShell runners

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • ci: Correct typing and lowest-deps configuration for mypy (``93f7a36` <https://github.com/sonatype-nexus-community/jake/commit/93f7a366712bba3b90a06f39ac6c147d28e07a11>`_)

  • requirements.lowest.txt: replace obsolete deps (cyclonedx-bom, ossindex-lib, pyfiglet, polling2, requests) with current minimum versions of cyclonedx-python-lib, art, sonatype-guide-api-client, sonatype-iq-api-client, rich, tomli - sbom.py: ExternalReference(reference_type=…) → (type=…) for all 7 refs — cyclonedx-python-lib 11.x renamed this parameter from reference_type to type - iq.py: add null guards for internal_id (str|None) and ticket.status_url (str|None) to satisfy ThirdPartyAnalysisApi StrictStr; change source arg from ‘jake’ to ‘cyclonedx’ per 0.201.0 API requirement - environment.py: annotate seen as set[str] and suppress attr-defined on PackageMetadata.get() which is valid at runtime but absent from Protocol stub - poetry.py: suppress import-not-found on tomllib which is stdlib on 3.11+ only

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

rich <13.2.0 depends on commonmark which transitively pulls in future, exposing CVE-2022-40899. rich

13.2.0 replaced commonmark with markdown-it-py, eliminating that dependency chain entirely.

Closes #127

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

urllib3 2.2.3 carries CVE-2025-66418, CVE-2025-66471, CVE-2026-21441 (all CVSS 7.5) and

CVE-2025-50181 (CVSS 6.1). Adding an explicit floor in pyproject.toml ensures the lock file cannot regress to a vulnerable version; both API clients already allow >=2.1.0,<3.0.0 so 2.7.0 is compatible.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

IQ Server returns 404 NotFoundException while the scan is still processing. Catch it in the polling

loop and retry (up to 30 attempts / 300 seconds), mirroring the old polling2-based behaviour. Raise RuntimeError if the timeout is exceeded.

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

The sonatype_iq_api_client selects the first accepted content type (application/json) by default.

Explicitly passing _content_type=’application/xml’ ensures IQ Server receives the correct header and can parse the CycloneDX XML body.

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Extract Progress block into _perform_scan() so UnauthorizedException can be caught in handle_args()

after Progress has closed, making the error message visible on the terminal instead of a raw traceback.

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

  • quality: Address 4 SonarQube issues on dev/4x/integration (``958eb4b` <https://github.com/sonatype-nexus-community/jake/commit/958eb4b8c390a28a1a28e65bf8410ae1ab779991>`_)

  • oss.py: extract ‘OSS Index’ literal to _OSS_INDEX_SOURCE constant (S1192) - oss.py: remove dead else-branch in _print_oss_index_report — the inner if comp_vulns check is redundant since the outer guard already ensures it; reduces cognitive complexity from 17 to 15 (S3776) - parser_selector.py: extract _parser_from_content and _parser_from_file helpers from get_parser; reduces cognitive complexity from 19 to 2 (S3776) - requirements.py: replace reluctant quantifier .? with [^]] in _PIN_RE for more efficient regex matching (S5857)

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Adds certifi as an explicit dependency (>=2024.7.4, patching CVE-2024-39689) and passes

ssl_ca_cert=certifi.where() to both sonatype_guide_api_client and sonatype_iq_api_client Configuration objects. The old ossindex-lib used requests which auto-loaded certifi; the new OpenAPI-generated clients use urllib3 directly and require explicit CA bundle configuration to work on systems without system CAs accessible to Python.

Also extracts multi-line f-string join expressions in _print_vulnerability to local variables,

resolving pre-existing flake8 E122 continuation-line warnings.

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

mypy reports import-not-found for tomli on environments where it is not installed (Python 3.11+

where tomllib is stdlib and tomli is absent). The existing no-redef ignore did not cover this error code.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Chores

Signed-off-by: Paul Horton phorton@sonatype.com

BREAKING CHANGE: minimum Poetry version is now 2.x

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Adds integration-guide job that runs jake guide -w against the real Sonatype Guide API after

build-and-test passes. Uses -w (warn-only) so incidental vulnerabilities in the CI environment do not cause failure — the test validates authentication and end-to-end connectivity only.

Secrets OSSI_USERNAME and SONATYPE_GUIDE_TOKEN are injected at step level. The job is skipped on

fork PRs where repository secrets are unavailable.

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Features

BREAKING CHANGE: Python 3.8 and 3.9 are no longer supported

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • Replace hand-rolled IQ client with sonatype-iq-api-client (``8cc6492` <https://github.com/sonatype-nexus-community/jake/commit/8cc6492e788e28130f09837c99530c8a5edfaba9>`_)

  • Replace IqServerApi inner class with sonatype-iq-api-client ^0.201.0 - Use ApplicationsApi.get_applications() for internal ID lookup - Use ScanApi.scan_components() for BOM submission - Use ScanApi.get_scan_status() with polling loop (time.sleep) for results - Remove requests and polling2 dependencies - Preserve all existing CLI arguments (-s, -i, -u, -p, -st)

BREAKING CHANGE: hand-rolled IQ REST client replaced by official sonatype-iq-api-client

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • Replace ossindex-lib with sonatype-guide-api-client, add guide subcommand (``882fedd` <https://github.com/sonatype-nexus-community/jake/commit/882feddddb8acb73876af66ff40a0d47efa320c5>`_)

  • Replace ossindex-lib with sonatype-guide-api-client ^0.1.0 (Apache-2.0) - Rewrite OssCommand to use OSSIndexCompatibilityApi with PurlRequestPost - Add -u/–username and –token args (env: OSS_INDEX_USERNAME/OSS_INDEX_TOKEN) - Remove –clear-cache (Guide API has no local cache) - Rename subcommand from ddt to guide - Add DdtCommand subclass as deprecated alias for ddt subcommand - Update app.py to register both guide and ddt subcommands

BREAKING CHANGE: ossindex-lib replaced by sonatype-guide-api-client; ddt is deprecated in favour of

guide

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • Upgrade cyclonedx-bom v3 to cyclonedx-python-lib v11 (``0fa0710` <https://github.com/sonatype-nexus-community/jake/commit/0fa07106d7d1324f838c0e029b5bff0231d9983c>`_)

  • Replace cyclonedx-bom ^3.0.0 with cyclonedx-python-lib ^11.7.0 - Add tomli ^2.0 backport for Python <3.11 (poetry.lock parsing) - Implement jake/_internal/parsers/ replacing removed cyclonedx_py parsers: EnvironmentParser, RequirementsParser, PoetryParser, PipenvParser, CondaListExplicitParser, CondaListJsonParser - Update parser_selector.py to use new internal parsers - Update sbom.py: Bom(components=set(…)), tools.components.add(), make_outputter(), SchemaVersion.from_version() - Update oss.py: vulnerabilities on Bom not Component, build vuln_map from v.affects - Update iq.py: make_outputter() replacing get_instance() - Move OutputFormat/SchemaVersion imports to cyclonedx.schema

BREAKING CHANGE: cyclonedx-bom is replaced by cyclonedx-python-lib v11; CycloneDX schema 1.5 and 1.6

now supported

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Code: - SONATYPE_GUIDE_USERNAME / SONATYPE_GUIDE_TOKEN are now the primary environment variables for

jake guide; OSS_INDEX_USERNAME / OSS_INDEX_TOKEN are accepted as fallbacks for backward compatibility - Update CLI help strings to reference Sonatype Guide, not OSS Index

Docs (README.md, docs/usage.rst, docs/configuration.rst, docs/index.rst): - Replace all OSS Index

references with Sonatype Guide - Update Python version badge to 3.10+ - Switch CI badge from CircleCI to GitHub Actions - Document SONATYPEGUIDE* env vars and fallback behaviour - Add “Migrating from OSS Index to Sonatype Guide” section covering command rename (ddt → guide), env var rename, and breaking changes - Refresh –help output blocks to reflect v4 commands and flags

Signed-off-by: Paul Horton phorton@sonatype.com

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Refactoring

_build_vulnerability was still at 17 after the prior refactor. Extracting the ratings construction

into _build_ratings removes the outer if-guard and two redundant ternaries (score/severity were guarded by the outer if but repeated the condition), bringing _build_vulnerability to <=15.

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

Fixes two SonarQube S3776 violations introduced on dev/4x/integration: - iq.py: extract

_poll_scan_result() to bring handle_args from 16 to <=15 - oss.py: extract _build_vulnerability(), _apply_whitelist(), and _process_components() to bring _perform_scan from 64 to <=15

Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com

Signed-off-by: Paul Horton phorton@sonatype.com

v3.1.0 (2026-05-12)

Bug Fixes

Chores

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v3.0.14 (2024-07-18)

Bug Fixes

v3.0.13 (2024-07-18)

Bug Fixes

v3.0.12 (2024-04-18)

Bug Fixes

v3.0.11 (2023-12-08)

Bug Fixes

v3.0.10 (2023-12-08)

Bug Fixes

v3.0.9 (2023-12-08)

Bug Fixes

v3.0.8 (2023-12-08)

Bug Fixes

v3.0.3 (2023-12-08)

Bug Fixes

v3.0.2 (2023-12-08)

Bug Fixes

v3.0.1 (2023-05-30)

Bug Fixes

@daviskirk suggestion

Co-authored-by: Davis Kirkendall 1049817+daviskirk@users.noreply.github.com

Documentation

Co-authored-by: Dan Rollo danrollo@gmail.com

v3.0.0 (2022-12-02)

Bug Fixes

Features

closes #104

BREAKING CHANGE: changed iq -t switch to -st, use common -f argument for input file

Co-authored-by: Dan Rollo danrollo@gmail.com

Breaking Changes

  • Changed iq -t switch to -st, use common -f argument for input file

v2.1.1 (2022-06-09)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Signed-off-by: Paul Horton phorton@sonatype.com

v2.1.0 (2022-06-09)

Chores

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Signed-off-by: Paul Horton phorton@sonatype.com

Features

v2.0.0 (2022-03-10)

v1.4.5 (2022-02-15)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

feat: support for oss index authentication

Signed-off-by: Paul Horton phorton@sonatype.com

Chores

BREAKING CHANGE: Notion of default schema version has been removed by upstream library and replaced

with latest supported schema version

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

  • port of fix for #112

  • resolved a bunch of typing issues

  • ci: fixed parameter references

  • ci: fixed mypy

  • fix: updated ossindex-lib to latest RC which now appears to properly resolve caching issues #100

  • defined lowest dependencies and aligned

  • WIP: JSON output updated to use JSON serialisation - All tests passing locally

Breaking Changes

  • Notion of default schema version has been removed by upstream library and replaced with latest supported schema version

v1.4.4 (2022-02-08)

Bug Fixes

fix: Vulnerability rating score now formatted to 1 decimal place

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.3 (2022-02-03)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.2 (2022-01-31)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.1 (2022-01-24)

Bug Fixes

fix: complete affects for vulnerabilities received from OSS Index

Signed-off-by: Paul Horton phorton@sonatype.com

v1.4.0 (2022-01-13)

Features

Signed-off-by: Paul Horton phorton@sonatype.com

  • feat: adopted latest RC for CycloneDX libraries to enable 1.4 support

  • fixes

  • chore: bumped to released versions of CyloneDX libraries`

v1.3.0 (2022-01-11)

Features

v1.2.3 (2021-12-22)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

v1.2.2 (2021-12-15)

Bug Fixes

v1.2.1 (2021-12-15)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Signed-off-by: Paul Horton phorton@sonatype.com

v1.2.0 (2021-12-13)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Chores

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

v1.1.5 (2021-12-09)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

v1.1.4 (2021-12-07)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Signed-off-by: Paul Horton phorton@sonatype.com

v1.1.3 (2021-11-10)

Bug Fixes

v1.1.2 (2021-11-10)

Bug Fixes

v1.1.1 (2021-11-09)

Bug Fixes

v1.1.0 (2021-10-22)

Features

v1.0.1 (2021-10-20)

Bug Fixes

v1.0.0 (2021-10-18)

Bug Fixes

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Build System

Signed-off-by: Paul Horton phorton@sonatype.com

Continuous Integration

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Features

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Refactoring

BREAKING CHANGE: jake has been re-written in large part to consume two new external libraries: -

cyclonedx-python-lib which gives jake ability to more easily consume your depenedencies in a variety of manners (environment, Pipfile.lock, poetry.lock, requirements.txt) and support output in both JSON and XML at different schema versions - ossindex-lib: most of the functionallity for talking to OSS Index that was in jake has been externalised to this library to allow others to consume it

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Signed-off-by: Paul Horton phorton@sonatype.com

Breaking Changes

  • jake has been re-written in large part to consume two new external libraries:

v0.2.77 (2021-07-06)

Bug Fixes

v0.2.76 (2021-06-29)

Bug Fixes

v0.2.75 (2021-05-25)

v0.2.74 (2021-05-25)

v0.2.73 (2021-05-25)

v0.2.72 (2021-05-13)

Bug Fixes

v0.2.71 (2021-05-13)

Bug Fixes

v0.2.70 (2021-04-07)

Bug Fixes

v0.2.69 (2021-03-25)

Bug Fixes

v0.2.68 (2021-03-23)

v0.2.67 (2021-03-18)

v0.2.66 (2021-02-11)

v0.2.65 (2021-01-27)

v0.2.64 (2020-12-17)

v0.2.63 (2020-12-17)

v0.2.62 (2020-12-17)

v0.2.61 (2020-12-17)

v0.2.60 (2020-12-16)

v0.2.59 (2020-12-09)

Bug Fixes

v0.2.58 (2020-12-07)

v0.2.57 (2020-11-12)

v0.2.56 (2020-11-12)

v0.2.55 (2020-11-12)

v0.2.54 (2020-11-12)

v0.2.53 (2020-11-12)

v0.2.52 (2020-11-12)

v0.2.51 (2020-11-11)

v0.2.50 (2020-11-09)

v0.2.49 (2020-09-25)

v0.2.48 (2020-09-22)

v0.2.47 (2020-09-22)

v0.2.46 (2020-09-22)

v0.2.45 (2020-09-21)

v0.2.44 (2020-09-21)

v0.2.43 (2020-09-21)

v0.2.42 (2020-09-21)

v0.2.41 (2020-09-21)

v0.2.40 (2020-09-21)

v0.2.39 (2020-09-21)

v0.2.38 (2020-09-21)

v0.2.37 (2020-09-21)

v0.2.36 (2020-09-21)

v0.2.35 (2020-09-21)

v0.2.34 (2020-09-21)

v0.2.33 (2020-09-21)

v0.2.32 (2020-09-21)

v0.2.31 (2020-09-21)

v0.2.30 (2020-09-21)

v0.2.29 (2020-09-21)

v0.2.28 (2020-09-18)

v0.2.27 (2020-09-11)

v0.2.26 (2020-09-10)

v0.2.25 (2020-09-03)

v0.2.24 (2020-06-05)

v0.2.23 (2020-05-29)

v0.2.22 (2020-05-29)

v0.2.21 (2020-05-29)

v0.2.20 (2020-05-29)

v0.2.19 (2020-05-29)

v0.2.18 (2020-05-29)

v0.2.17 (2020-05-29)

v0.2.16 (2020-05-29)

v0.2.15 (2020-05-28)

v0.2.14 (2020-05-28)

v0.2.13 (2020-05-28)

v0.2.12 (2020-05-28)

v0.2.11 (2020-05-28)

v0.2.10 (2020-05-28)

v0.2.9 (2020-05-28)

v0.2.8 (2020-05-28)

v0.2.7 (2020-05-28)

v0.2.6 (2020-05-28)

v0.2.5 (2020-05-28)

v0.2.4 (2020-05-28)

v0.2.3 (2020-05-21)

v0.2.2 (2020-05-20)

v0.2.1 (2020-05-12)

v0.2.0 (2020-05-12)

v0.1.7 (2020-05-01)

v0.1.6 (2020-04-30)

v0.1.5 (2020-04-30)

v0.1.4 (2020-04-24)

v0.1.3 (2020-04-24)

v0.1.2 (2020-04-23)

v0.1.1 (2020-04-23)

v0.1.0 (2020-04-23)

v0.0.21 (2020-01-11)

v0.0.20 (2020-01-08)

v0.0.19 (2020-01-08)

v0.0.18 (2020-01-06)

v0.0.17 (2020-01-03)

v0.0.16 (2019-11-13)

v0.0.15 (2019-11-11)

v0.0.14 (2019-11-08)

v0.0.13 (2019-11-06)

v0.0.12 (2019-11-06)

v0.0.10 (2019-11-06)

v0.0.9 (2019-11-06)

v0.0.8 (2019-11-06)

v0.0.7 (2019-11-06)

v0.0.6 (2019-11-06)

v0.0.5 (2019-11-05)

v0.0.4 (2019-11-05)

v0.0.3 (2019-11-05)

v0.0.2 (2019-11-05)

v0.0.1 (2019-11-05)

v0.0.0 (2019-11-05)